Improper Encoding or Escaping of Output in awssdk.extensions.cloudfront.signers

Q: How to fix?

Upgrade AWSSDK.Extensions.CloudFront.Signers to version 4.0.0.26 or higher.

Introduced: 27 Mar 2026

How to fix?

Upgrade AWSSDK.Extensions.CloudFront.Signers to version 4.0.0.26 or higher.

Overview

AWSSDK.Extensions.CloudFront.Signers is a package contains extension methods for creating signed URLs for Amazon CloudFront distributions and for creating signed cookies for Amazon CloudFront distributions using canned or custom policies.

Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output through the AmazonCloudFrontUrlSigner and AmazonCloudFrontCookieSigner policy document construction code in the CloudFront signers components. An attacker can alter the intended access restrictions in a signed URL or signed cookie policy by supplying resource or IP values containing quotes, backslashes, or control characters. The issue affects applications that pass untrusted input into CloudFront signed URL/cookie generation APIs such as SignUrl, BuildPolicyForSignedUrl, GetCookiesForCannedPolicy, and GetCookiesForCustomPolicy.

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
None
Integrity (VI)
Low
Availability (VA)
None

Confidentiality (SC)
High
Integrity (SI)
None
Availability (SA)
None

Improper Encoding or Escaping of Output Affecting awssdk.extensions.cloudfront.signers package, versions [,4.0.0.26)

Severity

Do your applications use this vulnerable package?

Snyk Learn

Introduced: 27 Mar 2026

How to fix?

Overview

References

CVSS Base Scores

Snyk